
Renewing a certificate

- So we've successfully revoked our certificate, now we just need to complete the next two steps in this process. And one of them is technically out of order. The request for a new certificate can happen from the server that we're doing it on because everything is self-enclosed on our test system. Or you could have someone doing this from an external server in which case they would make a request based on their private key, and they'd send it to you, answer that request, you'd approve it, and you'd send them back a renewed certificate.

So we haven't done that initial certificate request yet. In this movie, we're going to make the request, and we're also going to issue a new certificate based on that request. So let's get started with that. As you can see, openssl, and we're gonna use request, request new nodes. We're gonna generate an out file at, and I'm typing these things really literally, so you know exactly where they are. But I'm also in some movies giving you examples of places where you can cd into a directory, then print your working directory, and then not have to type out full pathways.

I'm doing both so that you get a sense of how this works. This is more to give you a sense of where you are in the system here. So openSSL/groundswell. I was hitting tab to autocomplete, and it was beeping at me telling me no, that doesn't exist there. And it was because I was thinking I was someplace else. And so there we are, groundswell/req/. There we are. And I'm going to call this something completely ridiculous. Something so that you know that it's different. Right, because in our environment, we've got groundswell, we've got caq, we've got groundswell a key, etc.

I'm gonna call this one fizzy. Because fizzy is really different. And this is our fizzy request. And what that's going to do, is it'll generate the thing, and it'll ask us for our information as you've seen before. Right, so state locality, organization. And I can even change this organization name. The thing is, you probably don't want to do that, because we're supposed to be creating a renewed certificate. Right, so we're gonna keep this the same. Organizational unit. And your common name.

And I'm skipping the email address as before. Extras, again, don't use a password like that, please, ever. And we're done, ok. And you saw the file system over here change as I did that. And we got, there it is. There's our fizzy request. (laughs) So at least it's there and at least we know what it is, right? I mean that really does make it very very different. So that's step one. So assuming that's happened now. You've done that either here or on your own server, or that has been done by someone who's asking you to renew something. They're gonna send you a new request.

Right, so you've gotta have that new request in order for this next part to work. So this next part is going to approve and sign the request and generate a new certificate that is not revoked. Right, so here we go. Again, we're going back to telling it where that config file is. There we are. And once again we're also telling it what the policy is. Then we need to tell it where the out files are. And I'm literally going to call this one fizzycert. So that's my out file. This is what I'm going to create with my new request.

And this is basically saying that the in files are located in the requests folder. And that the request I want it to read is my fizzy request. And there we go. I apologize if anybody thinks this is silly, but I do try to throw a little bit of levity into things because otherwise, man, this gets dry. Alright, here we go. So we're gonna hit enter, and this is going to go. Just to recap, openssl, hey, the certificate authority. We're going to configure using this configuration file. We're gonna set a policy of pretty much anything.

And out, we're going to push out this fizzycert.pem. This is going to be our new cert file. Right, so I'm being silly here. Don't be silly in your environment. Be serious. We're gonna use an in file, and that in file is located over here in the requests folder inside of openssl/groundswell, this is where our ca is, and this is where the requests folder is, and it's called fizzy. And that's what it looks like if you were looking at it in the Finder in a graphical user interface. So, hitting return, and it's gonna ask us that pass-phrase that we've set.

And hit return. And it gives us all of our details. Right, serial number two because this is our second certificate, and it's serializing them, and that's awesome. The first one was serial number one. Right, and it tells us that this is going to be valid from today until 2015, so it's giving us a year to make this all good. Do we wanna sign it? Yes we do! And one out of one certificate requested was certified, do we wanna commit this? Yes we do. And it tells us right here that it was certified for another 365 days, which is fantastic, because that gives us another year of functionality on this certificate.

And we are renewed. We are done. The rest of this is the same process as it was at the end of chapter five, where we would then make this certificate available to folks, and so forth. And that is all, on a self-signed environment. Of course in a public system where you have a public certificate, you would of course send that certificate signing request up to the ca in the cloud. So this would be Verisign, or Network Solutions, whoever. And then they would key and replace, and of course all of their web sites are different.

Every system is different. And so navigating those systems, there's not much value in showing you those, because it's different with all of them, you can choose any one of dozens. And that is it. So we are done renewing our certificate. That is what you will need to do in order to keep your certificate sort of rolling forward into the future.
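
The sequence described in this transcript (a revoked certificate, a new request, then `openssl ca` signing that request as serial number two), as an added example that is not the course's own commands or files. It assumes a throwaway CA in a temporary directory with constructed paths, subject and file names, an unencrypted CA key, and `-batch` in place of the interactive y/n prompts.

```shell
#!/bin/sh
# Added example, not the course's files: a throwaway CA under a temp directory.
# Paths, subject and file names are constructed; the CA key has no passphrase
# and -batch replaces the interactive y/n prompts so the run is unattended.
renew_demo() {
  d=$(mktemp -d) || return 1
  mkdir "$d/req" "$d/certs" "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
organizationName = optional
commonName = supplied
EOF
  subj="/O=Example Org/CN=www.example.test"
  {
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" &&
    # Original certificate (serial 01), then revoke it.
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$d/old.key" -out "$d/req/old.csr" &&
    openssl ca -config "$d/ca.cnf" -batch -notext -out "$d/certs/old.pem" \
      -infiles "$d/req/old.csr" &&
    openssl ca -config "$d/ca.cnf" -revoke "$d/certs/old.pem" &&
    # Renewal: new request with the same subject, signed as a new certificate.
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$d/fizzy.key" -out "$d/req/fizzy.csr" &&
    openssl ca -config "$d/ca.cnf" -batch -notext -policy policy_anything \
      -out "$d/certs/fizzycert.pem" -infiles "$d/req/fizzy.csr"
  } > "$d/log" 2>&1 || { cat "$d/log" >&2; return 1; }
  # index.txt columns are tab-separated: status, expiry, revoked-at, serial, ...
  awk -F'\t' '{ printf "%s%s:%s", (NR > 1 ? " " : ""), $4, $1 } END { print "" }' "$d/index.txt"
  rm -rf "$d"
}
renew_demo
```

The printed line is the CA database after renewal, `01:R 02:V`: the original serial is marked revoked and the renewed certificate is the only valid entry.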

Released: 10/8/2014

Secure Sockets Layer (SSL) is a cryptography protocol to protect web communication. Understanding Secure Sockets Layer takes the complicated subject of using TLS/SSL with public key infrastructure (PKI) for trusted encryption and identity verification, and breaks it down into easy-to-understand components that entry-level IT technicians, consultants, and support staff need to know—regardless of the types of computers, users, or networks supported. Join author Sean Colins for a focused and approachable course that will extend your knowledge of common SSL concepts and practices, including:

SSL communications

Certificate authorities

Public key infrastructures

Symmetric and asymmetric key pairs

Cryptographic hash functions

Encryption algorithms

Start now, and by the end of this course you'll have the knowledge to create SSL certificates, as well as revoke and renew them, from the command line.